At present, the PluginArchetypeService uses the practice Service User to determine the security context. This means that:
all plugins use the same user.
any acts created by plugins will have the Service User assigned to the author node.
the permissions available to the plugin are determined by the Service User
Support is required to be allow the user to be assigned to a plugin.
There are a couple of ways of doing this:
1. support assigning users to the OSGi bundle. The configuration for this would need to be based on the symbolic name, as APF changes the bundle id each time a plugin is deployed. The PluginArchetypeService would determine which bundle is invoking it, and use the associated user
2. provide RunAs support for plugins. Here, the plugin configuration would identify the user to run the plugin as, and all API calls would be wrapped in a RunAs.run(user, runnable)
The first is preferable, as it doesn't pollute plugin code with RunAs calls.
Note that neither approach supports the case where the user must be inherited from the current session.
At this stage it is not an issue, but a RunAs.currentUser(Runnable) could be provided to support this.